RE: Questions on TroopMaster DotNet Security

I have used DotNet for about a year and have been forced to learn more about its inner workings than I wanted. I understand your concerns. Given the level of security you are suggesting is needed, I don't think DotNet will address each point to your satisfaction.

I am curious though...when you email your database around do you use certificate-base encryption to ensure security? If you use USB keys to move the database around, how do you guard against lost keys. What about people who use work computers (domain admins know much)? What about lost/reclaimed laptops? Are your TM users bonded?

Security is always a concern when working with sensitive data. There is always room for improvement. In the end it is a risk-reward decision balancing the sensitivity of the data with the barriers imposed by security measures.

As an alternative you can eliminate photos, SSN's and drivers licence numbers (medical info too) from TM leaving only data that could be discovered via Google...or even a trip to Council office requesting a Troop roster. This will retain 90% of TM's functionality.

Peter

To: tmtug@...
From: zheaton@...
Date: Mon, 25 May 2009 22:38:44 -0400
Subject: [TMTUG] Questions on TroopMaster DotNet Security




















   
           
           


     
      All,



I am an ASM with a Troop that is considering purchasing a TroopMaster  

DotNet license to supplement our existing Troopmaster license.  I'm  

concerned about the security implications of regularly transmitting  

Troop personal data across the Internet, and have reviewed the  

TroopMaster DotNet literature and FAQs to determine what steps  

TroopMaster takes to secure personal data.  Unfortunately, what I've  

read so far has not been fully enlightening.  Can anyone, either a  

savvy customer or a TroopMaster employee, answer some of the following  

questions:



1.) Does DotNet connect to the FTP server used to store the data file  

using standard (unencrypted) FTP, or does it use SFTP or FTPS  

(encrypted) connections to secure the FTP login information?  If  

standard FTP is used, then sniffing the FTP passwords from network  

traffic would be trivial for an attacker, and the entire security  

scheme hinges on the strength of the data file encryption.



2.) The TroopMaster website states that data files can be encrypted  

using 256-bit AES encryption.  However, TroopMaster also provides a  

password recovery service <http://www.troopmaster.com/password/> which  

can recover the data encryption password.  This implies either the  

existence of a global "unlock" password, or a key generation algorithm  

which can generate "unlock" passwords from TroopMaster license  

information.  Since having this global password or algorithm would  

enable an attacker to unlock any TroopMaster data file anywhere, how  

is this global password secured?  Is the number of TroopMaster  

employees with access to this key limited?  If a key generation  

algorithm has been used, has the algorithm design been audited by a  

recognized cryptographic expert?



3.) The DotNet website has this to say on the advantages of using the  

TroopMaster FTP site:



> For all of our versions of DotNet, security is further enhanced if  

> you rent your FTP site directly from Troopmaster Software because we  

> don't release the actual location of the server to anyone. The site  

> can only be used by and for DotNet.



This statement seems nonsensical - packet sniffing of the data  

transfer from a TroopMaster client would trivially reveal the IP  

address of the server, which in turn would probably reveal the  

physical location (or at least the datacenter) of the server  

hardware.  What location is being protected here, how, and why?  If  

the server is properly secured, how does hiding the server location  

improve the security of the data?



4.) The DotNet website says that it is possible to block sensitive  

data fields (SSNs, driver license numbers) from certain users.  Are  

these restrictions cryptographically enforced, or are they only  

enforced by TroopMaster permissions-checking logic?  If the latter,  

has the possibility of unauthorized users recovering sensitive data  

either by reverse-engineering the file format or by examining program  

state using a debugger been considered and addressed?



Thanks in advance for any light you can shed on these issues - I'm  

intrigued by the capabilities that DotNet provides, but I want to make  

sure that we're appropriately protecting Scout personal information.



Regards,

Zach Heaton